4 Answers
4

The points noted in Bob's answer are all valid, so I won't bother repeating them; however, I thought a little additional information might also be helpful for some, as your question is a valid concern.

Opera's Wand feature allows you to specify how frequently to ask for your master password under Preferences > Advanced > Security > Ask for password with selections such as "Once per session" (which, as Bob correctly points out, limits your security), "Every x minutes/hours" (if you don't mind fiddling with .ini files, you can customise your own frequency), and "Every time needed" (obviously the most secure option as your password will not be stored in memory during your browsing session). I don't use Firefox but can imagine that there's a similar extension available somewhere.

The Wand data is stored in a file called, wait for it, wand.dat in a format that can be deciphered with relatively little effort if no master password is used; if you do use a master password, it is encrypted using a random component and your master password with an algorithm that currently escapes me (should be easy to look up though).

If you use a password for a site whose security is more important to you than the average login, you can simply choose not to save the password.

Private tabs in Opera (or their equivalent in other browsers) allow you to store that tab's session data separately from that in "normal" tabs, which may add another layer of security.

The security model used in Chrome and its derivatives (that is, sandboxing each tab in a
separate thread) gives you even greater security.

You can guard against keyloggers and such by regularly:

updating your anti-virus and firewall software; and

changing your passwords.

To sum up:

Your browser's level of security and that of your logins is up to you to a large extent.

If someone was very skilled and resourceful, they could probably get at your data eventually despite all the above precautions, but it would make your browser's data far more secure and would raise the level of sophistication required to crack it significantly.

If you have malware on your computer, no passwords entered or stored on it can be considered truly safe. Even encrypted passwords such as KeyPass databases, as soon as you enter the details required to decrypt it the attacker can retrieve your passwords.

Browsers typically do not pay very much attention to the security of saved passwords, at least not with default settings.

Let's say you get a trojan, which steals data from your PC. Can the trojan decrypt stored passwords by browsers, and use them?

In a word: yes. Browsers typically do not encrypt remembered passwords, so they can be read with trivial effort. Encryption with a stored key is useless anyway: if the browser is able to decrypt it, other programs running on the same computer can do the same.

I'm most familiar with Firefox, so I'll go with that.

Firefox allows you to set a 'master password'. If you do, it encrypts the stored passwords with the master password. However, for the sake of convenience, you only have to log in using this master password once per session. Once you are logged in, the information necessary to decrypt saved passwords is stored in memory, and can be accessed. A more secure and cumbersome approach would have been to require the master password to be typed every time Firefox needed to look up a saved password.

Even if the saved passwords were perfectly encrypted and completely inaccessible, they must be decrypted and entered on web forms at some point. Which means holding the passwords, unencrypted, in memory. There are actually quite a few 'asteriskrevealer' programs designed to grab those passwords out of memory and, well, reveal them. Malware could theoretically do the same.

And malware could also keylog you, allowing the attacker to retrieve any password you typed.

There's a very in-depth study of password security across major browsers (IE, Chrome, FF) here. To summarise, both Chrome and IE10 rely on Windows' encryption routines, which are considered strong. However, they do not protect against other programs running under the same user, i.e. they are useless against malware. Again, any executing program (as Administrator) can grab information from memory or by keylogging anyway.

The method of encryption is most important when you consider the possibility of theft of your saved data for later analysis, e.g. someone sneaking in and copying off your or stealing your computer. In general, all modern browsers do a decent job of protecting against that form of attack. Firefox with a good, strong password is again preferred, since the Windows encrypted data can be recovered by logging into the Windows user account, and the Windows password is not fully safe any longer. Do note that none of it will stop a very determined attacker.

Uhm... that's a bit misleading, actually. You failed to mention that tools like these either don't work at all on logins protected by a master password or need the master password to "decrypt" the login details. At least this goes for Opera/Chrome/Firefox, not sure what IE does, you may well be right there.
–
Amos M. CarpenterApr 30 '12 at 0:06

Lastpass and software like it are good convenient answers. While they don't give you total security (you still need to do the basics like firewall, anti virus, ect.) it's a good way of managing your passwords. Also due to the fact that it's stored on the magical cloud you can access them from anywhere (unlike some local software where you have to store in on your machine to access it).

I would note, again, that this would not protect against malware running locally. Firstly, malware could intercept your Lastpass master password. Two-factor authentication can protect against that, but then you could leak the passwords in the process of typing them into the destination webpage. Fact of the matter is, if malware is running (elevated) on your machine, your unencrypted data is screwed. And your encrypted data is screwed as soon as you try to access it.
–
BobAug 18 '13 at 16:32

(It's still a good suggestion [I personally use Keepass, none of that cloud rubbish], but I must address the point raised in the question.)
–
BobAug 18 '13 at 16:33

@Bob there's also the problem that even on the local machine malware can do the same thing intercepting passwords. Copy and paste can be traced too, so as you use a password it's tracked. There is no good way , 2 factor authentication is REALLY hard to beat tho.
–
GriffinAug 18 '13 at 23:06

Yup, I'm not saying Keepass is any more secure against locally run malware.
–
BobAug 19 '13 at 0:59

:( I hate malware. If computers were sex, malware would be some dickhead poking holes in all the condoms.
–
GriffinAug 19 '13 at 1:04